In which of the access control mechanism the owner of the object decides who can access the object?

From Techotopia

eBookFrenzy.com

Purchase and download the full PDF and ePub versions of this Security+ eBook for only $8.99

One of the key foundations of a comprehensive IT security strategy involves implementing an appropriate level of access control to all computer systems in an organization or enterprise. This chapter of Security+ Essentials will provide an overview of four types of access control for which an understanding is required to achieve CompTIA Security+ certification:

• Discretionary Access Control

• Rule-Based Access Control

• Role-Based Access Control

Contents

The term Access Control is something of an ambiguous term. To some it could be interpreted as controlling the access to a system from an external source (for example controlling the login process via which users gain access to a server or desktop system). In fact, such access control is actually referred to as Authentication or Identity Verification and is not what is meant by Access Control in this context (authentication is covered in detail in the Authentication and Identity Verification chapter of this book).

The term Access Control actually refers to the control over access to system resources after a user's account credentials and identity have been authenticated and access to the system granted. For example, a particular user, or group of users, might only be permitted access to certain files after logging into a system, while simultaneously being denied access to all other resources.

Mandatory Access Control

Mandatory Access Control (MAC) is the strictest of all levels of control. The design of MAC was defined, and is primarily used by the government.MAC takes a hierarchical approach to controlling access to resources. Under a MAC enforced environment access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings. It is not possible under MAC enforcement for users to change the access control of a resource.

Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classification (top secret, confidential etc) and a category (which is essentially an indication of the management level, department or project to which the object is available).

Similarly, each user account on the system also has classification and category properties from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control the operating system checks the user's classification and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object access is allowed. It is important to note that both the classification and categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object.

Mandatory Access Control is by far the most secure access control environment but does not come without a price. Firstly, MAC requires a considerable amount of planning before it can be effectively implemented. Once implemented it also imposes a high system management overhead due to the need to constantly update object and account labels to accommodate new data, new users and changes in the categorization and classification of existing users.

Unlike Mandatory Access Control (MAC) where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems.

Instead of a security label in the case of MAC, each resource object on a DAC based system has an Access Control List (ACL) associated with it. An ACL contains a list of users and groups to which the user has permitted access together with the level of access for each user or group. For example, User A may provide read-only access on one of her files to User B, read and write access on the same file to User C and full control to any user belonging to Group 1.

It is important to note that under DAC a user can only set access permissions for resources which they already own. A hypothetical User A cannot, therefore, change the access control for a file that is owned by User B. User A can, however, set access permissions on a file that she owns. Under some operating systems it is also possible for the system or network administrator to dictate which permissions users are allowed to set in the ACLs of their resources.

Discretionary Access Control provides a much more flexible environment than Mandatory Access Control but also increases the risk that data will be made accessible to users that should not necessarily be given access.

Role Based Access Control

Role Based Access Control (RBAC), also known as Non discretionary Access Control, takes more of a real world approach to structuring access control. Access under RBAC is based on a user's job function within the organization to which the computer system belongs.

Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to that particular role. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the developer role.

Roles differ from groups in that while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization. Additionally, there is no way to provide individual users additional permissions over and above those available for their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less.

Rule Based Access Control

Rule Based Access Control (RBAC) introduces acronym ambiguity by using the same four letter abbreviation (RBAC) as Role Based Access Control.

Under Rules Based Access Control, access is allowed or denied to resource objects based on a set of rules defined by a system administrator. As with Discretionary Access Control, access properties are stored in Access Control Lists (ACL) associated with each resource object. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object.

Examples of Rules Based Access Control include situations such as permitting access for an account or group to a network connection at certain hours of the day or days of the week.

As with MAC, access control cannot be changed by users. All access permissions are controlled solely by the system administrator.

By Robert Townsend on November 21, 2018

Background –

Considered one of the most crucial assets in a company, access control systems hold significant value. The term ‘access control’ refers to “the control of access to system resources after a user’s account credentials and identity have been authenticated and access to the system has been granted.” Access control is used to identify a subject (user/human) and to authorize the subject to access an object (data/resource) based on the required task. These controls are used to protect resources from unauthorized access and are put into place to ensure that subjects can only access objects using secure and pre-approved methods. Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC).

Discretionary Access Control (DAC) –

DAC is a type of access control system that assigns access rights based on rules specified by users. The principle behind DAC is that subjects can determine who has access to their objects. The DAC model takes advantage of using access control lists (ACLs) and capability tables. Capability tables contain rows with ‘subject’ and columns containing ‘object’. The security kernel within the operating system checks the tables to determine if access is allowed. Sometimes a subject/program may only have access to read a file; the security kernel makes sure no unauthorized changes occur.

Implementation –

This popular model is utilized by some of the most popular operating systems, like Microsoft Windows file systems.

Figure 1 – https://www.codeproject.com/Articles/10811/The-Windows-Access-Control-Model-Part-4

Role-Based Access Control (RBAC) –

RBAC, also known as a non-discretionary access control, is used when system administrators need to assign rights based on organizational roles instead of individual user accounts within an organization. It presents an opportunity for the organization to address the principle of ‘least privilege’. This gives an individual only the access needed to do their job, since access is connected to their job.

Implementation-

Windows and Linux environments use something similar by creating ‘Groups’. Each group has individual file permissions and each user is assigned to groups based on their work role. RBAC assigns access based on roles. This is different from groups since users can belong to multiple groups but should only be assigned to one role. Example roles are: accountants, developer, among others. An accountant would only gain access to resources that an accountant would need on the system. This requires the organization to constantly review the role definitions and have a process to modify roles to segregate duties. If not, role creep can occur. Role creep is when an individual is transferred to another job/group and their access from their previous job stays with them.

Figure 2 – https://www.docops.ca.com/ca-identity-governance/12-6-02-cr1/EN/getting-started/access-governance-and-rbac

Mandatory Access Control (MAC) –

Considered the strictest of all levels of access control systems. The design and implementation of MAC is commonly used by the government. It uses a hierarchical approach to control access to files/resources. Under a MAC environment, access to resource objects is controlled by the settings defined by a system administrator. This means access to resource objects is controlled by the operating system based on what the system administrator configured in the settings. It is not possible for users to change access control of a resource. MAC uses “security labels” to assign resource objects on a system. There are two pieces of information connected to these security labels: classification (high, medium, low) and category (specific department or project – provides “need to know”). Each user account is also assigned classification and category properties. This system provides users access to an object if both properties match. If a user has high classification but is not part of the category of the object, then the user cannot access the object. MAC is the most secure access control but requires a considerable amount of planning and requires a high system management due to the constant updating of objects and account labels.

Implementation-

Other than the government’s implementation of MAC, Windows Vista-8 used a variant of MAC with what they called, Mandatory Integrity Control (MIC). This type of MAC system added integrity levels (IL) to process/files running in the login session. The IL represented the level of trust the object would have. Subjects were assigned an IL level, which was assigned to their access token. IL levels in MIC were: low, medium, high, and system. Under this system, access to an object was prohibited unless the user had the same level of trust, or higher than the object. Windows limited the user to not being able to write or delete files with a higher IL. It first compared IL levels, then moved on to checking the ACLs to make sure the correct permissions are in place. This system took advantage of the Windows DAC system ACLs and combined it with integrity levels to create a MAC environment.

Figure 3 – https://www.thewindowsclub.com/mandatory-integrity-control

Conclusion –

Access controls are used to prevent unauthorized access to system resources. By implementing access control systems that fit your organization, you can better manage your assets. DAC, RBAC, and MAC access control systems are models that have been used to create access control systems that provide reliability and security. Businesses with smaller applications will find DAC to be easier to implement. Others with highly confidential or sensitive information may decide to use RBAC or MAC systems.

Sources –

https://www.tedsystems.com/3-types-access-control-which-right-building/

https://www.stor-guard.com/article/types-of-access-control-systems-for-effective-personnel-security-43

https://searchsecurity.techtarget.com/feature/CISSP-online-training-Inside-the-access-control-domain

https://searchsecurity.techtarget.com/definition/mandatory-access-control-MAC

https://resources.infosecinstitute.com/cissp-access-control-domain/#gref

https://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control

https://searchdatacenter.techtarget.com/answer/DAC-and-MAC-safety

http://www.cs.cornell.edu/courses/cs5430/2015sp/notes/dac.php